NerdRage: Social Engineering is not Hacking

Image by LynchMob10-09.

I would bet that neither you, nor anyone else you know, has ever been actually hacked. I know many who were socially engineered though…

Note from Matt: As someone who has had his info socially engineered in the past, I can really feel for Mat’s situation. This article is in no way a knock on him, but I feel his situation presents an event that pushes this issue into the light.

Yesterday I read an article by Mat Honan of Wired. It documents in detail how his Apple, Google, Twitter, and Amazon accounts were recently compromised. His Apple devices were remotely wiped, his personal data was lost, and his entire digital livelihood was shaken at its foundations.

According to Mr. Honan, he was “hacked”.

You have probably never been, and probably never will be, “hacked”

I hear this word tossed around all over the web these days. Did someone take over your Facebook account? You must have been hacked! Did you start receiving loads of spam email out of the blue? Hackers must have dunnit! Someone gained access to your Xbox Live account and started spending your money? Those hackers are ruthless! I understand what Mat Honan went through on a smaller scale, as my Xbox Live account was taken over by someone many years ago when I ran a popular Halo web comic called Halo Babies. Unlike Mr. Honan’s unfortunate story, this person gained access to my popular Xbox Live account to phish info from other users and to buy content using my credit card.

How did this person gain access to my account? The fault was as much mine as it was his. On my part, I had put far more information on the web than I realized. The WHOIS for my website listed my current address and phone number (something I didn’t even realize was public before this all went down), and my email address and other personal information were available in my forum profile on HaloBabies.net. The phisher took this information, and after around eight calls to Xbox support, gained access to my account through tech support agents who handed him little bits of my personal info on each call.

So what exactly is phishing? Wikipedia has a great definition: “Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.” What happened to Mat was not technically phishing, as I will explain below. Hacking is defined by Wikipedia as a “means of finding out weaknesses in a computer or computer network…” Many other definitions are similar, with Dictionary.com calling it an action “to break into (a server, Web site, etc.) from a remote location to steal or damage data”.

What happened to Mat and myself was far from hacking, but it also was technically not phishing either.

Remember when Sony’s account servers were broken into, and thousands of usernames, passwords, and credit card numbers were stolen? That was hacking. Someone had to exploit a backdoor or other vulnerability in Sony’s firewalls, server security, and more. They then accessed the data directly and copied it to their own computer to use for their own ends. Sony was hacked. When someone calls tech support pretending to be you, they aren’t “hacking” anything. They are socially engineering your data and identity to fool a larger company or service provider into thinking they are you.

Consequently, the person who performs these fraudulent actions is not a hacker, but rather a social engineer. There are all kinds of social engineers, from those who run real phishing scams over email and chat, to others who use similar tactics over the phone. Sure, many of these people might actually be skilled at hacking as well, but hacking and social engineering are two different fields with two different skill sets.

Phishing is the act of pretending to be a larger company to take advantage of its users. Fake emails to “reset” a user password or offering special content and deals if the user signs in at a specific site are not uncommon in phishing scams. These are people who pretend to be a large company to trick the individual user. However, in both mine and Mat’s stories, we were preyed on by someone who pretended to be the individual user in order to trick the large company. This is much closer to reverse-phishing, or rather, social engineering.

I’ll admit, saying “my Facebook got socially engineered!” doesn’t exactly roll off the tongue, but it’s the truth. Perhaps saying your account was reverse-phished or “engineered” sounds better. Either way, we need to call this stuff what it is, and hacking it is not.

Why do I care?

We live in a society that does everything it can to avoid taking responsibility for its actions. Spill hot coffee on yourself? Why not sue McDonald’s? Too lazy to turn down the volume on your iPod yourself? Sue Apple! Hacking is generally not something that the standard end-user can avoid. Sure, you can install consumer firewalls on your PC, but a skilled hacker will know a dozen ways to compromise them. All that said, let’s stop kidding ourselves. Who would ever actually want to hack your computer? Unless you’re storing high-level corporate secrets on your unencrypted hard drive, I bet the answer is no one.

However, becoming a victim of social engineering is something you can avoid. I was at fault when my Xbox Live account was stolen, and Mat Honan was at fault when his various accounts were taken from him. Mr. Honan may have used the wrong terms when referring to the tragedy that happened to him, but he does not shirk any responsibility. He is very clear that had he been more careful about what information he shared online, the issue could have been avoided.

When I hear someone say “OMG my Facebook account got hacked,” it’s always with the attitude that they did nothing wrong, and that some random stranger just decided to torment them for some reason. There is no responsibility taken by the user at all, and they live in mystery as to why someone would “hack into Facebook” to steal their data. It is a form of shedding any responsibility for something that could have easily been avoided, and that bugs me.

It’s a long shot, but perhaps if we start using proper terminology to describe these identity attacks, people will feel a more urgent need to double-check the information they share publicly. From my discussions with internet users, both novice and experienced, there is a common theme of feeling completely helpless against “hackers who are out there roaming the web for victims.” Almost no one I have spoken to has said anything about steps they can take to secure their own information. If we present realistic dangers in realistic terms for average users, instead of using terms that have been twisted and over-glorified over the years, maybe some light bulbs will go off. If we keep telling everyone they’re getting “hacked” at every turn, people will continue to feel helpless, and the scum of the internet who run social engineering and phishing scams will keep prevailing. If there’s no way to fight them, why bother?

Hackers are a tough enemy, and very difficult to stop without advanced technical skills and software. However, social engineers are generally no different from you or me, with a bit of extra insight into how various social sites and companies work. Is it too much to ask that we stop glorifying these people as “hackers”? The title confers an undue sense of accomplishment on these people despite most of them having very little experience actually hacking anything. The less sexy it is to be a social engineer, the fewer kids will strive to be one, and the less scary their tactics will seem to average users.

At least that’s the hope.

/rant

  • http://www.facebook.com/dustinnewell Dustin Newell

    Hacking.  Social Engineering.  Phishing.  Phreaking.  Scamming.  Cracking.  Black Hat, White Hat, Grey Hat, Blue Hat.  Hacktivists and Script kiddies.

    “Hacking means finding out weaknesses in a computer or computer network.”  This weakness includes people, users, administrators and help desk staff.  It also, despite popular opinion, isn’t always a bad thing (http://en.wikipedia.org/wiki/Hacker_definition_controversy#Hacker_definition_controversy).  I think this best sums up what I think of when I think of hacking:

    “A possible middle ground position has been suggested, based on the observation that “hacking” describes a collection of skills which are used by hackers of both descriptions for differing reasons.”

    Your definition of what hacking is does not represent what the actual hacking community feels the definition is.  Popular media’s, the news’, and the general public’s definitions of hacking do not represent what the actual hacking community feels the definition is.  The actual hacking community’s definition is not even one of consensus; there are differing sides with differing viewpoints, and so it could be said that ALL definitions are both correct and false.  That is tangential to my point:

    I don’t think that narrowing your definition of what hacking is actually helps anyone.  Insisting that someone was not hacked, that they fell victim to a phishing scheme or were reverse engineered, doesn’t change what happened.  It doesn’t change one’s attitude or habits; in fact, it can actually serve to further frustrate someone who is already not computer savvy.

    You bring up good points, in that general users fail to take responsibility for their plight and blame their problems on an unknown, such as hackers.  However, trying to make a distinction between hacking, phishing, and social engineering doesn’t help that problem, it confounds it.  The root problem isn’t the definition of what happened, it is the causes that lead up to the hack.

    - Passwords written down on a sticky note in your drawer.  
    - Using the same password everywhere.  
    - Using a weak, well known password.  
    - Running a server with an unpatched vulnerability.  

    Narrowing your definition about what happens to you should you fail to be vigilant in one of these areas does not fix these issues.

    This Honan example is a multi-stage failure.  Failure on the Apple reps who didn’t follow the process in verifying the identity of iCloud account holders.  Failure on Mat’s part when he linked his accounts together, rather than have a secure failsafe in place to prevent this cascading level of access to his accounts.  Failure on Amazon’s part in disclosing potentially private data without first confirming the requesting party.  Just because not all the tools were used, doesn’t make it any less of a hack.  If the person(s) responsible for breaking into Mat Honan’s accounts were able to do so purely with social engineering, the gravity of what they did is not lessened because they didn’t exploit some other security hole to do so.

    • http://www.happilymarriednerds.com/ Matt

      Maybe I didn’t make myself clear, but I absolutely couldn’t care less about what the “hacking community” considers a hacker. With how glorified and blown out the term has become, I’m sure they would consider using an Etch-a-Sketch to be hacking, as long as they keep their beloved “hacker” title. The problem is that the hacking community has widened the definition of the term so much that “normal” computer users have absolutely no idea what it means.

      Uninformed consumers = uninformed decisions. People are ALREADY confused about what hacking is, so how would specifically defining it and classifying it according to its original meaning make people more confused?

      “‘Hacking means finding out weaknesses in a computer or computer network.’  This weakness includes people, users, administrators and help desk staff.”

      I suppose we’ll have to agree to disagree. I have absolutely no idea how “computer” or “computer network” even remotely translates to people. As I’ve said before, if a hacker is simply someone who “exploits weaknesses” in everything, then everyone is a hacker. Politicians are hackers for finding weaknesses in their opponents’ arguments, athletes are hackers for finding weaknesses in their opponents’ play styles, etc. etc. There’s either a specific definition, and only an elite few are hackers, or everyone is a hacker and the term means nothing.

      Either way, internet users are confused, and by defining EXACTLY what kind of people they need to be aware of, it can help inform users as to what to watch out for. “Be careful of hackers on Facebook!” means nothing. “Be careful of social engineers/reverse-phishing on Facebook!” instantly piques someone’s curiosity, as they are terms not normally heard.

      • http://www.facebook.com/dustinnewell Dustin Newell

        You don’t care how a community defines itself?  That’s no better than the general public who sees video game players as violent psychopaths biding their time before snapping and shooting up a school.  If you fail to understand the intent behind members of a system, you are in no position to judge or define that system.

        How many computer systems do you know of that were created with no human intervention?  Hacking exploits a mistake in code, a weakness not considered, a phone monkey with access to account information who doesn’t follow procedure.  It is generally accepted that hacking involves a computer system of some kind, not necessarily “The Internet” or “email” or “Windows” but all of these things.  It’s on a computer.  The computer was designed by humans, both the hardware and the software.  It is operated by humans.  The path of least resistance is not always brute forcing code, hence social engineering and phishing.  Defining hacking more narrowly for your own terms benefits no one.

        Advising people to have better best practices, such as diversifying your passwords, looking for SSL sessions on websites, and not linking your accounts together to expose that vulnerability, is more effective than classifying different approach vectors and saying “this is what it means if your OS is being hacked” and “this is what it means if someone might be phishing you”.  The entire point of social engineering is to game a system or social hierarchy in a way that tricks someone into giving you something they would give an authorized individual.  It’s hard to guard against.

        • http://www.touchgen.com/ Matt Dunn

          Again, almost the entire point of the article is to show that the way the “hackers” define themselves is wrong. So yeah, that’s what I believe, which is why I wrote this in the first place. I’m not sure how I can be more clear with my statement that based on your definition of hacking, EVERYONE in the world who takes advantage of an exploit in any manner is also a “hacker”. This should not be the case in my opinion. Manipulating computer code and manipulating personal information are two completely different things. It doesn’t matter if computers were made by people.

          Here’s another analogy using the same logic that I see you using for your hacking definition. By your definition of hacking, a brain surgeon and a psychologist are both exactly the same thing because they both work with people’s brains. Nope, one works on manipulating brains physically, while the other works with understanding brains on a mental level. That doesn’t mean that a brain surgeon can’t also be a psychologist, but we wouldn’t then call all psychologists brain surgeons, now would we? If all the brain surgeons of the world held a conference and decided that because they work with brains, and brains are part of the human body, that all brain surgeons are officially psychologists, pediatricians, proctologists, urologists, etc. etc. etc., I would have issue with that, and I think quite a lot of other people would too.

          If you still disagree with me, then I think I am done debating, because I think I’ve said everything I possibly can from my side of the subject. ;)

          • http://www.facebook.com/dustinnewell Dustin Newell

            You CLEARLY don’t understand my point, as illustrated by the straw men that you set up to knock down.  I’m not saying that anyone in the world who uses some form of exploit to accomplish a task or meet a goal is a hacker.  To suggest that I am saying that is ridiculous.  I’m saying that hackers have a variety of tools, a variety of skills, that are used for a variety of purposes to accomplish a given task in an electronic (usually computer) system.  I’m saying that discounting the use of these skills because they don’t require use of a computer is dangerous.  I’m saying that rather than try and explain all the different ways in which someone can be hacked, that we educate people in better computing and data practices so they can more generally protect themselves.  Dumpster diving, social engineering, and yes, what you define as hacking are all tools that real life hackers like Kevin Mitnick and Kevin Poulsen have used to execute a “hack”.

            Let me see if I can articulate that I understand your point, as written in your article. Social engineers are not hackers.  Hackers sit in front of a computer terminal and find buffers to overrun, firewalls to breach and credit cards to steal from faulty SQL databases (for example).  If it doesn’t involve using a computer, it isn’t considered hacking.

            Beyond that point, I still don’t understand the need to draw a line, narrow the scope of a definition, make a distinction between those who possess computer skills to hack and those who can circumvent that need by gaming the system via social engineering.  You say it is to empower the users, to make them feel like they do have a chance because the people trying to steal their information are regular guys like you and me who happen to have some insight into how a system works to get access they shouldn’t have.  In what way would knowing the difference between a pure social engineering trick and a brute force hack or crack have helped Mat Honan?

            Have you ever heard of penetration testing?  It is something that some businesses do in which they hire a hacker to try and break into their system, so that they may find security flaws and fix them.  Now, when I say hacker, I don’t want you to picture some smelly teenager sitting in his basement drinking Mountain Dew.  Picture a college graduate who double majored in math and computer science.  This hacker will use every trick in the book, INCLUDING social engineering, in an attempt to gain access to the system.  If there is a flaw in how the humans in the system are providing access to information, it needs to be found and addressed with policy.

            That is not a theoretical definition of a hacker.  It is a real world example.

            Look, I agree with many of the points you wrote in your original article.  People blame hackers for impossible things.  I’ve spoken with these people on the phone.  People do have crappy data and computing practices that make them vulnerable to all kinds of attacks, whether they are ‘true hacks’ via the computer or a cascading failure created by linking their accounts together and reusing the same username and password everywhere.  It is definitely a problem.  But I don’t think that dialing back what you consider to be a broad definition is going to help any of that.  I do disagree with you on that.  Are we done debating?

            • http://www.happilymarriednerds.com/ Matt

              I don’t see a point to continuing since we obviously have opposite opinions. I believe relabeling what hacking is will help inform people of what they need to protect themselves from, and you don’t. No big! Agree to disagree! :)